With the rise of serious cyber attacks, companies are on the cusp of a dramatic change in the way they manage and disclose this risk, says Ramona Dzinkowski
This article was first published in the April 2018 China edition of Accounting and Business magazine.
Cyber risk has been elevated to one of the top issues facing industry in 2018. For example, FireEye and Marsh & McLennan estimate that in 2016, cyber hackers stole more than US$75m from a Belgian bank and US$50m from an Austrian aircraft parts manufacturer.
But perhaps the worst case so far is that of Equifax, whose revenues fell 27% immediately after a massive hacking of personal data. It lost an estimated US$4bn in stock market value.
Whether there are worse examples remains to be seen. Companies might be in the dark for months – some estimates say it could be 205 days – before detecting a breach. A 2017 survey of 92 US companies by Willis Towers Watson found that one in five had suffered a cyber breach in 2016. Two-thirds saw cyber risk as a fundamental challenge to their business and 85% viewed it as a top priority. Half had implemented various risk management activities but had not formally articulated a cyber strategy.
With the increasing incidence of devastating cyber attacks, both EU and US companies are on the cusp of a dramatic change in the way they manage and disclose the risk.
In Europe, the General Data Protection Regulation (GDPR) comes into force in May. Violations of these rules resulting in data breaches could cost companies up to €20m in fines, or 4% of global annual turnover for the preceding financial year – clearly defining the relationship between a company’s data risk management practices and the office of the CFO.
Meanwhile, the US Securities and Exchange Commission (SEC) has published updated guidance on how public companies should disclose cybersecurity risks and breaches, broadening the scope of disclosure from its 2011 rule and strengthening the relationship between cyber risk, financial risk and the ongoing viability of the firm. The SEC has clearly identified where it would like more disclosure, including cost estimates for loss of reputation, relationships, revenue and competitive advantage, as well as legal and insurance costs.
Clearly, for smaller companies that lack the budget to accommodate specialists with titles like ‘global head of cyber risk’, evaluating and reporting the potential risks and associated costs can be daunting. External firms and subsequent security audits can help decrease the risk, but should systems fail, will companies be able to quantify the costs? Or will they rely on their insurers to do so?
I would argue that in order to get a complete picture of cyber risk it is essential for the accounting world and cyber insurers to frame the analysis within the six areas of capital defined by the International Integrated Reporting Council (IIRC). This framework offers the scope to capture the related impacts of a cyber attack; it has also become generally understood as a valuable way of reporting on the integrated nature of a firm’s assets and, given the SEC’s new recommendations, is likely to gain wider acceptance in the US.
Ramona Dzinkowski, Canadian economist and president of RND Research Group
"To get a complete picture of cyber risk to firms, the accounting world and cyber insurers need to frame the analysis within the six areas of capital"